During secure data exchanges between two parties, cryptographic protocols are used to verify and authenticate communications in order to ensure that the communications are genuine. This protects the communications from being monitored or altered. These cryptographic protocols can be used for example, between a computer and a remote server or during payment transactions to establish secure data exchanges.
Electronic authorisation systems for payment transactions use cryptographic protocols such as those developed by EMVCo LLC which are published as specifications entitled “Integrated Circuit Card Specifications for Payment Systems”. These specifications are publically available and are presently at version 4.3 (currently available at http://www.emvco.com/specifications.aspx).
The specifications define a set of requirements to ensure interoperability between payment devices, e.g. contact or contactless integrated circuit chip cards, and Points of Interaction (POIs), e.g. card terminals or ATMs. This interoperability is on a global basis, regardless of the manufacturer, financial institution, or where the card is used.
Payment transactions involve cryptographic protocols that make use of unpredictable random numbers. Typically, these random numbers are newly generated for each payment transaction. Without randomness from the random numbers, the payment transactions are deterministic and hence susceptible to fraud as they could be simulated, cloned or modified. The ability for a POI to generate truly unpredictable numbers is therefore important to the security of payment transactions.
A paper presented at the Workshop on Cryptographic Hardware and Embedded Systems in 2009 by A. T. Markettos and S. W. Moore entitled “The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators” discusses an example of a vulnerability in existing Random Number Generators (RNGs) used in POIs. The paper discloses that applying an electromagnetic field at certain frequencies to a ring-oscillator-based RNG (a type of hardware RNG commonly used in POIs) can significantly limit the range of possible numbers that the RNG will randomly pick from. The reduction in possible numbers means that payment transactions are more easily simulated, cloned or modified.
Against this background, the present invention aims to provide improved unpredictable number generation.